SECURITY ADVISORY

If you are using Yeemp 0.9.9 or earlier, upgrading is recommended.

A security hole has been discovered in the Yeemp instant messaging client.
Yeemp uses public keys both for message encryption and to provide a degree
of round-trip authentication for messages - each contact is given a unique
public key. Unencrypted messages are considered to be probably spoofed in
most circumstances; messages which are decryptable are checked to determine
if the key used to decrypt them corresponds with the public key supplied to
the claimed originator of the message. The initial public key request,
however, cannot be encrypted, and is implemented as a file transfer request.
The client was not checking the encryption on inbound files. As a result,
anyone could send a Yeemp client a file purporting to be from any sender.
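
The gap described above, as an added example (a simplified model written for this page, not Yeemp's code). The contact table, the Inbound type and every function name are hypothetical, and the corrected policy is an assumption about what checking inbound files involves, not a description of the 0.9.10 change.

```python
# Added illustration: a simplified model, not Yeemp's code. All names are hypothetical.
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: the unique key issued to each contact.
KEY_ISSUED_TO = {"alice": "key-A", "bob": "key-B"}

@dataclass
class Inbound:
    claimed_sender: str
    kind: str                      # "message", "file" or "key_request"
    decrypted_with: Optional[str]  # id of the key that decrypted it; None if unencrypted

def sender_verified(item: Inbound) -> bool:
    """True only if the item decrypted with the key issued to its claimed sender."""
    expected = KEY_ISSUED_TO.get(item.claimed_sender)
    return expected is not None and item.decrypted_with == expected

def accept_unchecked_files(item: Inbound) -> bool:
    """Behaviour the advisory describes: only messages get the key check."""
    if item.kind == "message":
        return sender_verified(item)
    return True  # files, including key requests sent as file transfers, pass unchecked

def accept_checked_files(item: Inbound) -> bool:
    """Assumed corrected policy: only the initial key request may arrive unencrypted."""
    if item.kind == "key_request":
        return True  # cannot be encrypted, so it carries no authenticated sender
    return sender_verified(item)

# Constructed inbound items covering the cases in the advisory.
SAMPLES = [
    Inbound("alice", "message", None),      # unencrypted message
    Inbound("alice", "file", "key-A"),      # genuine file from alice
    Inbound("alice", "file", None),         # unencrypted file claiming to be alice
    Inbound("alice", "file", "key-B"),      # bob's key, but claims to be alice
    Inbound("carol", "key_request", None),  # first contact from an unknown sender
]

def audit(samples=SAMPLES):
    """Return (kind, key, unchecked verdict, checked verdict) for each sample."""
    return [(s.kind, s.decrypted_with,
             accept_unchecked_files(s), accept_checked_files(s)) for s in samples]

if __name__ == "__main__":
    for row in audit():
        print(row)
```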

While this by itself cannot be exploited to execute arbitrary code,
Yeemp accepts and attempts to display several media files with standardized
filenames by default; in conjunction with security holes in external libraries
or utilities, this could lead to the execution of arbitrary code. Yeemp uses
several external utilities, including netpbm and ogg123, to handle certain
media files.

Yeemp 0.9.10 fixes the spoofing vulnerability. In addition, if you have
Yeemp set to use subterfugue shoggoth sandboxes, 0.9.10 will use them around
netpbm and ogg123 calls, which should significantly mitigate the impact of
any unpatched or as-yet-undiscovered vulnerabilities in ogg123 and netpbm.

To the best of my knowledge, Yeemp 0.9.9 and all prior versions are
vulnerable. This vulnerability has been verified specifically on 0.7.2, 0.9,
0.9.4, 0.9.7, 0.9.8, and 0.9.9.